Openssl verify: unable to get issuer certificate

Hi, I have an unusual problem. I’m trying to double check that the fullchain matches the certificate before uploading it to load balancer (both files were generated by certbot). I keep getting the usual “unable to get issuer certificate” error. The thing is - my colleague is verifying the same two files, and everything is okay. She’s using an older version of openssl on Linux. We can’t figure out what’s causing the different output.

===
I ran this command: openssl verify -CAfile fullchain.pem cert.pem

It produced this output:

cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Operating system: MacOS Mojave 10.14.6

openssl version: LibreSSL 3.0.2

1 Like

Well, that’s not actually OpenSSL :wink:

Anyway, it should be compatible, but perhaps there are small differences.

fullchain.pem contains cert.pem and chain.pem in one file. Verification should be done using the certification doing the actual signing, which is chain.pem. So perhaps exchanging fullchain.pem with chain.pem in your command does the trick.

1 Like

That is a fair point about LibreSSL :smiley:

I did try with chain.pem as well, and got the same result.

Hi,

When you specified CAfile, it actually wants the root certificate for the certificate chain (which should be automatically included with Linux OSs, but have some trouble for Windows and MacOS).
When OpenSSL tried to connect to the server, it’ll try to build the certificate to an trust chain, which would ultimately goes to ISRG ROOT or Identrust root. However, when you specified fullchain.pem or even chain.pem, it doesn’t contain the root certificate (only either intermediate or leaf certificate, or both). In this case, as you’ve specified CAfile in the command, OpenSSL will not attempt to use your OS’s CA Trust store, and hence the “Unable to get issuer certificate” error occured.

To successfully test your certificate, you can try to run the command without CAfile option, or with the actual CA file located on https://letsencrypt.org/certificates/ . Try to use the Identrust certificate because I think the default chain still goes to Identrust CA.

In short, download Identrust CA from https://letsencrypt.org/certificates/ and use that as your CAfile, not your fullchain or chain.pem

Thank you

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.